Error in FXM – No 'Access-Control-Allow-Origin' header is present on the requested resource

  • Under the circumstances listed in the following sections, the AJAX requests of the Federated Experience Manager (FXM) Beacon script fail. The following error can be found in the browser console:

    XMLHttpRequest cannot load 
    No 'Access-Control-Allow-Origin' header is present on the requested resource.
    Origin '' is therefore not allowed access.

    This issue can be caused by the following reasons:

  • The following function is called from the custom code at the time when the ServicesWebApiInitializer processor of the initialize pipeline has not been executed yet:


    This can be, for example, in the Application_Start() method of the Global.asax file, or in a custom initialize pipeline processor placed before the ServicesWebApiInitializer processor. Also, it can be a third-party library that allows subscription to the application initialization. For example, the WebActivatorEx library allows specification of an initialization method using the PreApplicationStartMethod attribute.

  •  To resolve this issue:

    1. Find the place in your code or in the third-party component that calls the GlobalConfiguration.Configure() method.
    2. Insert the following code before this place, then compile and deploy the changes to your website:
  • A redirection is configured in IIS or in the web.config file (for example, using the URL Rewrite IIS module). When the AJAX Beacon request is redirected, it loses the CORS headers, which causes the issue.

  • To resolve this issue: 

    • Configure the redirection rules to not redirect the requests to the /sitecore/api/ssc/Beacon/Service path.
  • If your Sitecore XP solution is hosted on Azure Web Apps, the reason for the issue can be the CORS headers configured on the App Service level. If Azure App Service is configured to set any custom CORS headers, it overwrites any CORS headers that were set by FXM code.

  • To resolve this issue:

    • Make sure that no CORS headers are added in the configuration of your App Service (API, CORS) section. If there are any, consider removing them.

Applies to:

CMS 8.0 Initial Release+

June 30, 2017
August 11, 2017

Reference number:



  • Federated Experience Manager